[unisog] Practical, Legitimate IP Fragmentation?

hermit921 hermit921 at yahoo.com
Wed Mar 12 18:42:54 GMT 2003


We ran into some fragmentation issues with some VPNs when they decremented 
the MTU in various amounts.  We fixed that once we figured it out.

If you do block fragments, we would like to hear about the aftermath.  It 
would provide some guidance if/when we try to do the same thing.

hermit921

At 11:58 AM 3/12/2003 -0500, Clarke Morledge wrote:
>Are there any of you maintaining a firewall at the campus edge blocking
>IP fragments from coming in (or even going out) of your network?  In view
>of the security risks associated with fragmentation, is this a good idea?
>
>Theoretically, you should always pass IP fragments due to variances in
>Maximum Transfer Units (MTU) along a traffic path.  But practically
>speaking, in a world today where Ethernet is almost everywhere, the
>chances of running into an MTU different from standard Ethernet is
>relatively small.  Granted, there are exceptions, but a consistent MTU
>intra-campus and across the Internet seems to hold.
>
>Currently, we do allow IP fragments to pass through our firewall.
>However, the risk associated with allowing fragments to pass through a
>campus edge seems high:  most router ACLs are unable to block IP fragments
>at the UDP/TCP port level, and damaging payloads can be hidden in
>fragments with some relative ease.
>
>Considering the risks, can anyone tell me in terms of "real world"
>experience why we should continue to pass fragments?  Cisco, our PIX
>firewall vendor, recommends that IP fragments be dropped if at all
>possible.  Do you agree?
>
>I do see some IP fragmentation on a regular basis, but I do not know how
>legitimate it is.  We see a number of applications, primarily streaming or
>other media applications using the Real Time Protocol (RTP), that
>habitually use large datagram sizes that have to be broken up in smaller
>pieces (IP fragmentation) to get them across our Ethernet networks.
>
>I am having a difficulty in seeing how this practice by RTP applications
>is really necessary.  It seems horribly inefficient to fragment this type
>of traffic, particularly in a "real time" application.   You drop one
>packet, you lose the whole UDP data chunk spread across multiple IP
>fragments.   Can anyone tell me why some of these RTP applications work
>this way?
>
>I am very tempted to just go ahead and block fragments and wait until
>someone screams, but I was wondering if anyone else has had any experience
>in this area.
>
>Thanks.
>
>Clarke Morledge
>College of William and Mary
>Information Technology - Network Engineering
>Jones Hall (Room 18)
>Williamsburg VA 23187
>757-221-1536
>chmorl at wm.edu



More information about the unisog mailing list